Understanding and getting your credentials

You use different types of security credentials depending on how you interact with AWS.
For example, you use a user name and password to sign in to the AWS Management Console.
You use access keys to make programmatic calls to AWS API operations or to use AWS CLI
commands.

If you forget or lose your credentials, you can't recover them. For security reasons,
AWS doesn't allow you to retrieve your passwords or secret access keys and does not
store the private keys that are part of a key pair. However, you can create new
credentials and then disable or delete the old credentials.

Note

Security credentials are account-specific. If you have access to multiple AWS
accounts, use the credentials that are associated with the account that you want to
access.

Getting AWS account root user credentials is different from getting IAM user
credentials. For root user credentials, you get credentials, such as access keys or
key pairs, from the Security Credentials page in the AWS Management Console. For IAM
user credentials, you get credentials from the IAM console.

The following list describes the types of AWS security credentials, when you might use
them, and how to get each type of credential for the AWS account root user or for an
IAM user.

Email and password (root user)

When you first create an Amazon Web Services (AWS) account, you begin with a single
sign-in identity. That identity has complete access to all AWS services and resources
in the account. This identity is called the AWS account root user. When you sign in,
enter the email address and password that you used to create the account.

Use your AWS account email address and password to sign in to the
AWS Management Console as the AWS account root user.

Note

If you see three text boxes, then you previously signed in to the console with IAM user
credentials. Your browser might remember this preference and open this account-specific
sign-in page every time that you try to sign in. You cannot use the IAM user sign-in
page to sign in as the account owner. If you see the IAM user sign-in page, choose
Sign in using root user email near the bottom of the page. This returns you to the main
sign-in page. From there, you can sign in as the root user using your AWS account email
address and password.

You can change the email address and password on the Security Credentials page.
You can also choose Forgot password? on the AWS sign-in page to reset your password.

IAM user name and password

Use AWS Identity and Access Management (IAM) to create unique user identities in AWS.
IAM users provide their user names and passwords when they sign in to the
AWS Management Console, AWS discussion forums, or AWS Support center. In some cases, an
IAM user name and password are required to use a service, such as sending email with
SMTP by using Amazon Simple Email Service (Amazon SES).

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) provides an extra level of security that you can
apply to your AWS account. For additional security, we recommend that you require MFA
on the AWS account root user credentials and highly privileged IAM users. For more
information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

With MFA enabled, when you sign in to the AWS website, you are prompted for your user
name and password, and an authentication code from an MFA device. Together, they provide
increased security for your AWS account settings and resources.

By default, MFA (multi-factor authentication) is not enabled. You can enable and manage
MFA devices for the AWS account root user by going to the Security Credentials page
or the IAM dashboard in the AWS Management Console.
For more information about enabling MFA for IAM users, see Enabling MFA Devices in the
IAM User Guide.

Access keys (access key ID and secret access key)

Access keys consist of two parts: an access key ID (for example,
AKIAIOSFODNN7EXAMPLE) and a secret access key (for example,
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign programmatic
requests that you make to AWS through AWS CLI commands, the SDKs, or AWS API
operations. For more information, see Signing AWS API requests. Like a user name and
password, you must use both the access key ID and secret access key together to
authenticate your requests. Manage your access keys as securely as you do your user
name and password.

When you create access keys, you create the access key ID and secret access key as a
set. During access key creation, AWS gives you one opportunity to view and download the
secret access key part of the access key. If you don't download it or if you lose it,
you can delete the access key and then create a new one. You can create IAM user or
root user access keys with the IAM console, AWS CLI, or AWS API. To learn how to create
IAM user access keys, see Managing Access Keys for IAM Users in the IAM User Guide. To
create access keys for your root user, see Managing access keys for the AWS account
root user in the IAM User Guide.

We strongly recommend that you do not use the root user for your everyday tasks, even
the administrative ones. Instead, adhere to the best practice of using the root user
only to create your first IAM user. Then securely lock away the root user credentials
and use them to perform only a few account and service management tasks. To view the
tasks that require you to sign in as the root user, see AWS Tasks That Require Root
User.

Important

Do not provide your access keys to a third party, even to help find your canonical user ID. By doing this, you
might give someone full access to your account.

A newly created access key has the status of active, which means that you can use the
access key for CLI and API calls. You are limited to two access keys for each IAM user,
which is useful when you want to rotate the access keys. You can also assign up to two
access keys to the root user. When you disable an access key, you can't use it for API
calls, and inactive keys still count toward your limit. You can create or delete an
access key at any time. However, when you delete an access key, it's gone forever and
can't be retrieved.
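The two-key limit and the active/inactive states above determine the order of a safe rotation. The planner below is an added example, not AWS code: the key dictionaries mirror the metadata that IAM ListAccessKeys returns, while `plan_rotation`, the 90-day threshold, and the sample key IDs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # limit stated above; inactive keys count toward it


def plan_rotation(keys, now, max_age_days=90):
    """Order the rotation steps for one IAM user's access keys.

    `keys` mirrors IAM ListAccessKeys metadata: dicts with AccessKeyId,
    Status ("Active"/"Inactive") and CreateDate (timezone-aware datetime).
    The 90-day threshold is an assumption, not a value from this page.
    """
    cutoff = now - timedelta(days=max_age_days)
    active = sorted((k for k in keys if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    stale = [k for k in active if k["CreateDate"] < cutoff]
    if not stale:
        return []
    steps, slots_used = [], len(keys)
    # An inactive key still occupies a slot, so delete it before creating.
    for k in keys:
        if k["Status"] == "Inactive":
            steps.append(("delete", k["AccessKeyId"]))
            slots_used -= 1
    if len(stale) == len(active):  # no fresh replacement exists yet
        if slots_used >= MAX_KEYS_PER_USER:
            # Both slots hold stale active keys: retire the oldest for room.
            oldest = stale.pop(0)
            steps += [("deactivate", oldest["AccessKeyId"]),
                      ("delete", oldest["AccessKeyId"])]
        steps.append(("create", None))
    # Deactivate first (reversible), delete last (permanent, per the text).
    for k in stale:
        steps += [("deactivate", k["AccessKeyId"]), ("delete", k["AccessKeyId"])]
    return steps


# Constructed sample: one stale active key plus a forgotten inactive key.
UTC = timezone.utc
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLDKEY001", "Status": "Active",
     "CreateDate": datetime(2023, 1, 10, tzinfo=UTC)},
    {"AccessKeyId": "AKIAEXAMPLEOFFKEY002", "Status": "Inactive",
     "CreateDate": datetime(2022, 3, 5, tzinfo=UTC)},
]

if __name__ == "__main__":
    for step in plan_rotation(SAMPLE_KEYS, datetime(2024, 6, 1, tzinfo=UTC)):
        print(step)
```

The steps correspond to the IAM operations CreateAccessKey, UpdateAccessKey (setting the status to Inactive), and DeleteAccessKey; confirm that applications work with the new key before running the deactivate step.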

You can also create and use temporary access keys, known as temporary security
credentials. In addition to the access key ID and secret access key, temporary security
credentials include a security token that you must send to AWS when you use temporary
security credentials. The advantage of temporary security credentials is that they are
short-term. After they expire, they're no longer valid. You can use temporary access
keys in less secure environments or distribute them to grant users temporary access to
resources in your AWS account. For example, you can grant entities from other AWS
accounts access to resources in your AWS account (cross-account access). You can also
grant users who don't have AWS security credentials access to resources in your AWS
account (federation). For more information, see Temporary Security Credentials in the
IAM User Guide. For information on the unique IDs that IAM creates, including their
prefixes (like the AKIA used in AKIAIOSFODNN7EXAMPLE, above), see IAM Identifiers in
the IAM User Guide.
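The difference between long-term and temporary access keys can be checked wherever credentials are stored. The audit below is an added example, not AWS code: it reads text in the shared credentials file layout, uses the ASIA prefix for temporary keys (taken from the IAM identifiers reference, not from this page), and `audit_profiles` and the sample profiles are constructed for illustration.

```python
import configparser
import re

# AKIA marks a long-term access key ID; ASIA marks a temporary (AWS STS) one.
# ASIA is taken from the IAM identifiers reference, not from this page.
KEY_ID = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample in the shared credentials file layout (documentation
# example values, not real keys; the session token is a placeholder).
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[deploy]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = PLACEHOLDER-SESSION-TOKEN

[broken]
aws_access_key_id = not-a-key-id
"""


def audit_profiles(text):
    """Map each profile name to a finding about the credentials it stores."""
    # interpolation=None: credential values are opaque strings and must be
    # read literally, never expanded as configparser templates.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for name in parser.sections():
        profile = parser[name]
        match = KEY_ID.match(profile.get("aws_access_key_id", ""))
        if not match:
            findings[name] = "unrecognized access key ID"
        elif match.group(1) == "AKIA":
            findings[name] = "long-term key on disk: rotate or replace"
        elif not profile.get("aws_session_token"):
            findings[name] = "temporary key without session token: unusable"
        else:
            findings[name] = "temporary credentials: expire on their own"
    return findings


if __name__ == "__main__":
    print(audit_profiles(SAMPLE))
```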

Key pairs

Key pairs are unrelated to access keys, and consist of a public key and a private key.
You use the private key to create a digital signature, and then AWS uses the
corresponding public key to validate the signature. Key pairs are used only for
Amazon EC2 and Amazon CloudFront.

For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use
SSH to log in to a Linux instance. For more information, see Connect to Your Linux
Instances in the Amazon EC2 User Guide for Linux Instances.

For Amazon CloudFront, you use key pairs to create signed URLs for private content,
such as when you want to distribute restricted content that someone paid for. For more
information, see Serving Private Content through CloudFront in the
Amazon CloudFront Developer Guide.

AWS does not provide key pairs for your account; you must create them. You can create
Amazon EC2 key pairs from the Amazon EC2 console, CLI, or API. For more information,
see Amazon EC2 Key Pairs in the
Amazon EC2 User Guide for Linux Instances.